
Thursday, January 12, 2017

Shadow Brokers - Russian thoughts?

Who are the Shadow Brokers? Are they nation state? If so, are they Russian government or Russian government sponsored?

The timing of the latest releases certainly makes that seem likely. Along with the release of the GRIZZLY STEPPE report detailing Russian hacking, a number of Russian "diplomats" (probably spies) were kicked out of the US. Apparently we also took their summer vacation home.

One week later, the Shadow Brokers released a dump including a file listing of Windows tools supposedly stolen from US intelligence agencies. They also posted screenshots, detailed here and here. It's hard not to see this as retaliation for the US expelling the Russian diplomats. If it's not retaliation, make no mistake about it: the Shadow Brokers knew that analysts would likely come to this conclusion.

But then, in the early morning of January 12th, 2017, the Shadow Brokers dumped 61 Windows binaries (.dll, .exe, and .sys files). They claim they only dumped the 58 tools that were detected by Kaspersky AV, but the dump contained 61 files. A little anonymous birdie told me that Kaspersky only detects 43 of these files as of mid-day on the 12th. I don't like Russian software on my machines, so I can't confirm whether or not that's true.

Shadow Brokers "final message"

So why dump the actual files themselves? I think that since the dump of the filenames on Sunday, there have been a lot of behind-the-scenes diplomatic talks, and Russia decided the US wasn't taking them seriously. In this case, releasing 61 files is a good way to be taken seriously while holding back a huge cache of files. "Feel some pain, but know we can hurt you again and again and again."

Of course, I could totally be wrong about this, but it sure is fun to watch what appear to be two countries' intelligence agencies battle it out in public.